The problem statement is, "Create a program that will open a socket (in the binary .exe) and send data to the service so that through the service you gain access to the secret answer"..Using IDA Pro I have identified the socket as Port 23 (Telnet). I'm new to this so I dont really have any experience with reverse engineering or fuzzing, but I do have some tools available. I have some tools available and the suggested tools are Python, Perl, IDA Pro, OllyDbg, Hex editor

UNGH! I had a fairly long response typed in, and when I hit POST, my connection was timed out, and got lost.

In a nutshell, per your PM request to me, for further info, I'll respond here, so as to benefit any others who might learn from this.

Based on the tools list you provided, and the challenge you described, I'm assuming you're in some class (school, online, or other) where you're learning about process execution and / or reverse-engineering / assembly code programming, etc. You may not have prior experience fuzzing, but you're likely going to have to gain some, here, or sit with OllyDebug, IDA and your hex editor, and slowly go through the source code for the 'vulnerable' exe in question, looking for exploitable / overflowable buffer space from input variables. In a nutshell, you need to either analyze the code, or fuzz, to find input commands which allow more than the 'normal' length to be submitted to the process (you say telnet on port 23), so as to inject shellcode, direct process execution TO that shellcode, and then safely return from it, so as not to crash the target system, and force or instantiate a reboot, in the process, and waste all of your efforts.

Are you given a copy of said target exe to test with? If not, you might need to do some reconnaissance, such as banner grabbing, etc, to get exact version, etc, and see if you can obtain a copy from the net, somewhere, as having a local copy to test against is often easier and helpful. If you ARE given a copy (or you obtain one,) well, then at least you have better opportunity to learn, as crashing your own system or the running exe process and restarting the process or rebooting is easy for you to do.

Either way, you've pretty much got to examine the possible inputs and values for the service, to see if one or more will crash the service, if you enter an excessive amount of data (typically, send the expected command and an inordinate amount of 0x42 (hex for A) or other characters, to try to crash the running process. You'd then shorten this amount of data down, until you reach a point where you DON'T crash the service anymore, see if that amount of data is enough to allow you to upload shellcode and pass execution to it, etc.

I'm not going to give you a full tutorial on fuzzing and buffer overflows here, as a bit of research on Google (or insert your favorite search engine here) will yield plenty of them. Assumably the idea of your course / challenge is to teach you, and to show you how to learn about these things on your own, so I'm not going to spend a ton of time pointing you in that direction. (The fact that you found EH-net and posted here, is a good beginning, and shows your desire to try to learn...) One of the best / most well-known tutorials / examples can be found all over the net, but here's one location for it:

I wish you luck, and if you hit a point where you can't seem to progress, feel free to ask further questions, etc., and I'm sure that I, or another member, will try to give you some subtle hints and such to get you past your roadblock, and moving forward, again But you'll need to spend some time learning, and trying things out, first, as we're not here to simply hand you the answers to your homework assignments. :-)

If time / money permit, and what you're working on is self-paced, you might consider, anyway, looking at OSCP or eLearnSecurity's training, as both cover fuzzing and buffer overflows, in more detail, and might help. But regardless, you'll need to spend some more time coming up to speed on these, to get past this exercise / challenge you're working on.

Good luck, SRVblackhat, and keep us posted on your progress!

Last edited by hayabusa on Wed Aug 04, 2010 7:53 am, edited 1 time in total.

~ hayabusa ~

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'

@hayabusa ... vi/ed/nano/pico/wordpad/notepad is your friend. This has happened to me plenty of times. I'll begin to answer a post here, but immediately copy it over to a text file, answer it there, then post it back here. I'm tempted to answer this, but it would be booklong, therefore I stood away. I may re-visit this when I have some more time

@sil - exactly... I've decided, anytime I have something long, I'll be copy / pasting it in, from here on. (This was the first time EH-Net had timed out on me, during a long post... surprising, I guess... so it caught me offguard) And I agree, on the 'booklong' thread, thus, my pointing him in a general direction, and giving him a place to start. If he gives more detail, after showing he's working on it, I'm happy to keep assisting, but I don't want to 'hand him the keys to the ferrari'

~ hayabusa ~

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'